In the early 13th Century, the besieged Château Gaillard fell to King Philip of France when a soldier found a way into the castle through a latrine chute. As unpleasant as this must have been, that was all it took to gain access and open the gates. The castle fell and, because Château Gaillard guarded the route into Normandy, three hundred years of Norman independence ended a few months later. The Château's castellan had ignored the latrine chute's vulnerability and left it unguarded, instead choosing to rely on the castle's walls, high ground and barricades. Compounding this, the castellan had made no preparations to repel anyone who did find their way in.
In 800 years, it seems, our approach to security hasn't shifted far: we expect that robust defences will protect us from attacks, and fail to prepare for when a breach does occur. An attacker does not need or want to bash his head against firewalls, intrusion detection systems and thorough network segmentation. The vast majority of cyber attacks are automated, indiscriminate and target known vulnerabilities. A single cyber criminal can be responsible for hundreds of attacks per day, without any specialised training.
Most organisations don't have impressive defences like Château Gaillard – as Target and several other recent breaches demonstrate – which means that today's cyber attackers don't have to be as resourceful as the French in 1204, or as sophisticated as those who target choice economic and strategic organisations. Clearly, cyber security should not be the end-goal – this is akin to hiding behind the walls of Château Gaillard. What organisations should be aiming for is cyber resilience – the ability to respond to and recover from cyber attacks. However effective you may think your outward-facing defences are, today's cyber attacker will find a way in – and, if you have made no preparations for responding to a breach, you will suffer severe damage.
This was brought into stark relief with the recent attack on Code Spaces. Even without the theft of any data, Code Spaces was pushed out of business due to a lack of adequate incident management and business continuity planning. These should now be seen as essential extensions of cyber security.
The Verizon 2014 Data Breach Investigations Report says that 92 percent of all security incidents can be described by nine basic patterns: sophistication and novelty are clearly not prerequisites for making an attack. Furthermore, the report demonstrates that nearly all breaches took less than a day to achieve, while less than one in four breaches had been discovered a day later. It is during this lag between the attack and the organisation recognising it that damage occurs, but it doesn't need to be irreparable.
Cyber resilience is mapped against the lifecycle of a cyber attack, ensuring that the threat is countered at each stage. To begin, an information security regime protects the organisation's information from a host of threats and mitigates vulnerabilities. This is expanded through the application of cyber risk controls, which can be drawn from a multitude of sources depending on your organisation's needs and practices. When an attack is identified – which will happen sooner if your controls are rigorous – your incident response procedures kick in, isolating the attack surface, quarantining affected systems, and preserving security for areas as yet unaffected. With the attack neutralised or stalled, business continuity plans can be invoked to minimise ongoing damage and return the organisation to full functionality as quickly as possible.
The Information Security Breaches Survey 2014, commissioned by the UK's Department of Business, Innovation and Skills, claims that large organisations were breached a median of 21 times in 2013. An effective resilience posture helps organisations survive inevitable and unavoidable breaches, and given the potential damage and costs that can come from data breaches, not having a resilience strategy is a fool's choice. Being breached is a fact of doing business in the modern world, and potentially affects the whole organisation. If an attack gets through your defences, the ability to respond and recover will be of immeasurable value.
Contributed by Alan Calder, founder and executive chairman, IT Governance Ltd